tag:blogger.com,1999:blog-10772672754640727552024-03-13T05:41:40.718-07:00SSL Certificates using OpenSSL.Manmohanhttp://www.blogger.com/profile/01488032028009115263noreply@blogger.comBlogger4125tag:blogger.com,1999:blog-1077267275464072755.post-69858546139777571762011-08-05T17:53:00.000-07:002011-08-05T17:53:13.848-07:00Revoking a certificate and generating Certificate Revocation List.<div dir="ltr" style="text-align: left;" trbidi="on"><br />
<div class="MsoNormal"><span lang="EN-US">Before we look at the commands to revoke a certificate and to generate a CRL, let us understand what revoking a certificate means and what a CRL is used for.</span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US">Revoking a certificate does not invalidate the certificate itself. The certificate remains valid even after it has been revoked, and a user who does not check the CRL can still use it. </span></div><div class="MsoNormal"><span lang="EN-US">Revocation means that the certificate is no longer trustworthy. Whenever the Certificate Authority comes to know that the certificate's private key has been compromised and it is no longer safe to use the certificate, the CA revokes the certificate, generates a CRL (Certificate Revocation List) and publishes the CRL on its website, so that the users of the certificate can see that it has been revoked and are advised not to use it anymore. Since the CA does not know who is relying on the certificate it issued to authenticate a particular user, the CRL is the best available way to inform all of them that the certificate is no longer trustworthy.</span></div><div class="MsoNormal"><span lang="EN-US"><br />
</span></div><div class="MsoNormal"><span lang="EN-US">To revoke a certificate, use the OpenSSL command below:</span></div><div class="MsoNormal"><span lang="EN-US"><br />
</span></div><div class="MsoNormal"><span lang="EN-US"><i><b>openssl ca -config openssl.conf -revoke Certificates/CertificateToRevoke.cer -keyfile Keys/RootCA.key -cert Certificates/RootCA.cer</b></i></span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">To generate a certificate revocation list, use the command below:</div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US" style="font-family: "Calibri","sans-serif"; font-size: 10.0pt; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-font-size: 11.0pt; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: "Malgun Gothic"; mso-fareast-language: KO; mso-fareast-theme-font: minor-fareast; mso-font-kerning: 1.0pt; mso-hansi-theme-font: minor-latin;"><i><b>openssl ca -config openssl.conf -gencrl -out Certificates/CA.crl -keyfile Keys/RootCA.key –cert Certificates /RootCA.cer</b></i></span></div><div class="MsoNormal"><span lang="EN-US"><br />
</span></div><div class="MsoNormal">That's all we need to revoke a certificate. Please provide comments and suggestions to improve the post.</div></div>Manmohanhttp://www.blogger.com/profile/01488032028009115263noreply@blogger.com0tag:blogger.com,1999:blog-1077267275464072755.post-77962528281418999482011-07-03T08:02:00.000-07:002011-07-03T08:02:09.905-07:00Complete guide to set up a CA using OpenSSL, generate CSR from IIS7.0, create SSL certificate and Install certificates into IIS 7.0.<div dir="ltr" style="text-align: left;" trbidi="on"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Before we start, please note that these certificates should only be used in a development environment for testing. If you need a certificate for a production environment that handles critical transactions, e.g. financial transactions, I suggest getting the SSL certificate from a trusted Certificate Authority such as VeriSign or Thawte, to avoid security problems.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<b><u><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Step I : Setup CA using OpenSSL:-</span></u></b><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span lang="EN-US"><span lang="EN-US" style="font-family: Verdana, sans-serif;">First of all we need to set up the Certificate Authority (CA) that will issue the certificates. It is very easy to set up a CA using OpenSSL; just follow the steps below.</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">1. First download OpenSSL and install it.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">2. Set up the directory structure and files required by OpenSSL.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">3. Create a directory D:\OpenSSL\workspace and place the openssl.conf file in that workspace.</span><br />
<i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;"><br />
</span></i><br />
<i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">D:\OpenSSL\workspace></span></i><br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">D:\OpenSSL\workspace>mkdir CSR</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">D:\OpenSSL\workspace>mkdir Certificates</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">D:\OpenSSL\workspace>mkdir Keys</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">D:\OpenSSL\workspace>copy con database.txt</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">^Z</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">D:\OpenSSL\workspace>copy con serial.txt</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">01</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">^Z</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Here ^Z means pressing Ctrl-Z followed by Enter, which ends the <i>copy con</i> input. database.txt is the CA's certificate index (it starts out empty) and serial.txt holds the serial number of the next certificate to be issued; the openssl.conf file must point at both of them.</span></div><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">4. Generate a key for your Root CA. Execute the OpenSSL command below in the workspace directory that contains the OpenSSL configuration file.</span><br />
<i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;"><br />
</span></i><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"></span><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">openssl genrsa -des3 -out Keys/RootCA.key 2048</span></i><br />
<i><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></i><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">5. This will ask for a passphrase for the key; provide one and remember it, as it will be needed later.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">6. The next step is to create a self-signed certificate for our CA; this certificate will be used to sign and issue the other certificates.</span><br />
<i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;"><br />
</span></i><br />
<i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">openssl req -config openssl.conf -new -x509 -days 360 -key Keys/RootCA.key -out Certificates/RootCA.crt</span></i><br />
<i><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></i><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span lang="EN-US"></span>7. You will be asked to provide the following information:-</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Country Name (2 letter code) []:IN</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">State or Province Name (full name) []:Karnataka</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Locality Name (eg, city) []:Bangalore</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Organization Name (eg, company) []:Sample Inc</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Organizational Unit Name (eg, section) []:Web</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Common Name (eg, your websites domain name) []:Sample.com</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US">Email Address []:sample@sample.com</span></i><span lang="EN-US"></span></span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">8. Fill in this information and hit enter. Now you can see your CA’s certificate in the <i style="mso-bidi-font-style: normal;">Certificates </i>folder.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">Now your CA is ready to sign the certificates.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><span lang="EN-US" style="font-family: Verdana, sans-serif;">Now we will see how to generate a CSR on the IIS 7.0 web server, use it to create an SSL certificate, install that certificate in IIS 7.0 and enable SSL on IIS 7.0 with it.</span><br />
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"></div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><b style="mso-bidi-font-weight: normal;"><u><span lang="EN-US">Step II : How to generate CSR from IIS 7.0</span></u></b><u><span lang="EN-US"> :-</span></u></span><br />
<span lang="EN-US" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span lang="EN-US">1. Go to Start->Run, type <i style="mso-bidi-font-style: normal;">inetmgr</i> and hit Enter; this opens IIS Manager. Double-click on “Server Certificates” to open the Server Certificates panel.</span></span></div><div class="MsoListParagraph" style="margin: 0cm 0cm 0pt 72pt; mso-para-margin-left: 0gd;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><span lang="EN-US" style="font-family: Verdana, sans-serif;">2. Click on “Create Certificate Request…” in the <i>Actions </i>panel on the right-hand side.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO_4iyr6wljq73BNBkBRbBWNpSqRfhZZZLS8iyqSiatiePrSJ3L2M_8qk0-PRwORdViuOfTQoVc2eBAm5GHwAMvmKjY9g6v4EBtcFszb5UaGLHZRqHU2_DzMSKLufkgwGB8pO0Onceofc/s1600/IISManager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="250px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO_4iyr6wljq73BNBkBRbBWNpSqRfhZZZLS8iyqSiatiePrSJ3L2M_8qk0-PRwORdViuOfTQoVc2eBAm5GHwAMvmKjY9g6v4EBtcFszb5UaGLHZRqHU2_DzMSKLufkgwGB8pO0Onceofc/s400/IISManager.png" t8="true" width="400px" /></span></a></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">3. Now you see the “Request Certificate” dialog; fill in the information as shown in the picture below and click Next.</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyHYLs1_FVbT_oqlI9AybUuuNavsfXfqkTHu0lvwn-eqjpnGQpFVAMfH284xlmMrERHp4LgP4nTx-cKE2xGoWtg-2hFzIQLq1qCPOjeNn0wJcAGlHs2gMdNJRcvKXPcp5RanlvyeXxEX4/s1600/DistinguishedName.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="301px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyHYLs1_FVbT_oqlI9AybUuuNavsfXfqkTHu0lvwn-eqjpnGQpFVAMfH284xlmMrERHp4LgP4nTx-cKE2xGoWtg-2hFzIQLq1qCPOjeNn0wJcAGlHs2gMdNJRcvKXPcp5RanlvyeXxEX4/s400/DistinguishedName.png" t8="true" width="400px" /></span></a></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">4. Now select the Cryptographic service provider and bit length and click Next.</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaaS9W1j5IGT4jPkIMSzeuGS6li_9_NjKXL3mR77zyYUeuzjw_0K8PaT-8UEnnlYSHUJ370Nf_SdRMzjSh7541rWJgKcTf9baL5sS7udkVdkF2kGLpwsDcZLYoDRARsv9EIRZ7gzPCnu4/s1600/CSPP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="303px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaaS9W1j5IGT4jPkIMSzeuGS6li_9_NjKXL3mR77zyYUeuzjw_0K8PaT-8UEnnlYSHUJ370Nf_SdRMzjSh7541rWJgKcTf9baL5sS7udkVdkF2kGLpwsDcZLYoDRARsv9EIRZ7gzPCnu4/s400/CSPP.png" t8="true" width="400px" /></span></a></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">5. Now save the CSR file in <i>D:\OpenSSL\workspace\CSR</i> and click Finish.</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0DFKeKjKetXRrVGCwuPzaX30me8c3jKmkRcWR8rcA-auKUpL0QBxV3ORNsIsrx2tyPSDDJyK06VjzEh2G0LcRr02r7stMOwk5xnRTJeXZ_cLd7lX2cIyLe0CFhLbxonM5pEbasFBECwU/s1600/FileName.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="241px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0DFKeKjKetXRrVGCwuPzaX30me8c3jKmkRcWR8rcA-auKUpL0QBxV3ORNsIsrx2tyPSDDJyK06VjzEh2G0LcRr02r7stMOwk5xnRTJeXZ_cLd7lX2cIyLe0CFhLbxonM5pEbasFBECwU/s320/FileName.png" t8="true" width="320px" /></span></a></div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Now you have your CSR file. It is a text file, so you can open it and have a look if you want. It looks like this.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif; font-size: x-small;">-----BEGIN NEW CERTIFICATE REQUEST-----</span></span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif; font-size: x-small;">[base64-encoded request body omitted]</span></span></div><span lang="EN-US" style="font-family: Verdana, sans-serif; font-size: x-small;">-----END NEW CERTIFICATE REQUEST-----</span><br />
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><b style="mso-bidi-font-weight: normal;"><u><span lang="EN-US" style="font-family: Verdana, sans-serif;">Step III : Create SSL certificate using our CA and generated CSR:-</span></u></b></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Execute the OpenSSL command below. It will create an SSL certificate named SampleCert.crt, signed by our CA.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">D:\OpenSSL\workspace>openssl ca -policy policy_anything -config openssl.conf -cert Certificates/RootCA.crt -in CSR/CSR.txt -keyfile Keys/RootCA.key -days 360 -out Certificates/SampleCert.crt</span></i></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Now we have created the SSL certificate for the IIS 7.0 web server. Next we will see how to install it in IIS 7.0 and how to enable SSL on IIS 7.0.</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span style="font-family: Verdana, sans-serif;"><br />
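<div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">The whole procedure from Step I to Step III, followed by the revoke and CRL commands from the first post, as an added shell example that is not part of the original posts: it builds a throw-away CA in a temporary directory, signs a CSR generated with openssl (the IIS wizard is not available in a script), revokes that certificate, generates the CRL and then shows that a plain <i>openssl verify</i> still accepts the revoked certificate while <i>openssl verify -crl_check</i> rejects it. Paths, names and the passphrase are constructed for the demo, and the minimal openssl.conf is the one the <i>openssl ca</i> command needs for this directory layout.</span></div>

```shell
#!/bin/sh
# Added example (not the blog's own script): a throw-away CA in the blog's layout
# (CSR/, Certificates/, Keys/, database.txt, serial.txt) issues a cert from a CSR,
# revokes it, generates a CRL and shows what only a CRL-aware verifier notices.
# Assumes `openssl` 1.1.1 or 3.x on PATH; names and the passphrase are constructed.
# AES-256 replaces the blog's -des3, and -passout/-passin avoid interactive prompts.
set -eu
PASS="pass:demo-passphrase"   # constructed demo value, never a real CA passphrase

# Minimal openssl.conf for `openssl ca`: index, serial, CA key/cert locations,
# CRL validity, the name policy used below and the extension sections.
write_config() {
    cat > "$1/openssl.conf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = .
new_certs_dir    = $dir/Certificates
database         = $dir/database.txt
serial           = $dir/serial.txt
crlnumber        = $dir/crlnumber.txt
certificate      = $dir/Certificates/RootCA.crt
private_key      = $dir/Keys/RootCA.key
default_md       = sha256
default_crl_days = 30
policy           = policy_anything
x509_extensions  = v3_server
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
}
# Step I: directory layout, encrypted CA key and self-signed CA certificate.
setup_ca() (
    cd "$1"
    mkdir -p CSR Certificates Keys
    : > database.txt            # empty index, what `copy con database.txt` + Ctrl-Z makes
    echo 01 > serial.txt        # next certificate serial number (hex)
    echo 1000 > crlnumber.txt   # next CRL number (hex)
    write_config .
    openssl genrsa -aes256 -passout "$PASS" -out Keys/RootCA.key 2048
    openssl req -config openssl.conf -new -x509 -days 360 -extensions v3_ca \
        -key Keys/RootCA.key -passin "$PASS" -out Certificates/RootCA.crt \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Sample Inc/OU=Web/CN=Sample CA"
)
# Steps II and III: a CSR (made with openssl instead of the IIS wizard), its
# signature checked before the CA signs it with the blog's `openssl ca` line.
issue_cert() (
    cd "$1"
    openssl req -config openssl.conf -new -newkey rsa:2048 -nodes \
        -keyout Keys/SampleCert.key -out CSR/CSR.txt \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Sample Inc/OU=Web/CN=Sample.com"
    openssl req -in CSR/CSR.txt -noout -verify
    openssl ca -batch -notext -policy policy_anything -config openssl.conf \
        -passin "$PASS" -in CSR/CSR.txt -days 360 -out Certificates/SampleCert.crt
)
# The first post: revoke (reason: key compromise) and generate the CRL.
revoke_and_gencrl() (
    cd "$1"
    openssl ca -config openssl.conf -passin "$PASS" \
        -revoke Certificates/SampleCert.crt -crl_reason keyCompromise
    openssl ca -config openssl.conf -passin "$PASS" -gencrl -out Certificates/CA.crl
)
# 0 if the cert chains to the CA with no revocation check (still true after revoking).
leaf_verifies() (
    cd "$1"
    openssl verify -CAfile Certificates/RootCA.crt Certificates/SampleCert.crt >/dev/null 2>&1
)
# 0 only if a CRL-checking verifier rejects the cert as revoked.
leaf_revoked_per_crl() (
    cd "$1"
    out=$(openssl verify -crl_check -CAfile Certificates/RootCA.crt \
        -CRLfile Certificates/CA.crl Certificates/SampleCert.crt 2>&1) && exit 1
    echo "$out" | grep -qi "certificate revoked"
)
# First column of database.txt: V = valid, R = revoked.
db_status() { cut -f1 "$1/database.txt"; }

WS=$(mktemp -d) && setup_ca "$WS" && issue_cert "$WS"
leaf_verifies "$WS" && echo "issued:  status $(db_status "$WS"), verify OK"
revoke_and_gencrl "$WS"
leaf_verifies "$WS" && echo "revoked: status $(db_status "$WS"), verify without CRL still OK"
leaf_revoked_per_crl "$WS" && echo "revoked: verify -crl_check rejects the certificate"
```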
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span style="font-family: Verdana, sans-serif;"><b style="mso-bidi-font-weight: normal;"><u><span lang="EN-US">Step IV : Installing SSL certificates in IIS 7.0</span></u></b><u><span lang="EN-US">:-</span></u></span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span lang="EN-US" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span lang="EN-US">1. Go back to IIS Manager and Server Certificates.</span> In the Actions panel, click on “Complete Certificate Request…”.</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilX5vTRnlTItsSTdsLMKT0-Nja_Eq0AGqsOcgYKl2rxf36GAosZjJIQKoo5RzJidadEK9At2gDYWCIY0yWTmvCdbwyNmYdJlTDN4ui4E_8xlrZS8dtFErL2FFbgfptEgPOJJMBS7zSxSM/s1600/ServerCertificates.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="250px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilX5vTRnlTItsSTdsLMKT0-Nja_Eq0AGqsOcgYKl2rxf36GAosZjJIQKoo5RzJidadEK9At2gDYWCIY0yWTmvCdbwyNmYdJlTDN4ui4E_8xlrZS8dtFErL2FFbgfptEgPOJJMBS7zSxSM/s400/ServerCertificates.png" t8="true" width="400px" /></span></a></div><div class="separator" style="clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif; font-size: small;"><span lang="EN-US"><br />
</span></span></span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;"><span lang="EN-US">2. </span><span lang="EN-US">Provide the certificate we just created, type in a friendly name for it and click OK.</span></span></span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHX6KC2QKx4nrrNkshJl-w-0cBzr2GuLdD14OmNhj2OTbt4FmxQzQPwvyf-UoH-1YRzeDcGq7mVDcPEBFX5K4GBcGtCt9xTE47oX6JUvGisE0GnOmsIiwAbDqDtUMkT5WSUSlGTy7OwAk/s1600/SpecifyCAResponse.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="240px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHX6KC2QKx4nrrNkshJl-w-0cBzr2GuLdD14OmNhj2OTbt4FmxQzQPwvyf-UoH-1YRzeDcGq7mVDcPEBFX5K4GBcGtCt9xTE47oX6JUvGisE0GnOmsIiwAbDqDtUMkT5WSUSlGTy7OwAk/s320/SpecifyCAResponse.png" t8="true" width="320px" /></span></a></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;">3. Now you can see your certificate listed under Server Certificates.</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG4pKDxdgqRsdX5NjvkTCJVjBRKEYyZL7jifNRcRWp3Ld1LxGxSA3XIhIexoP18SOcv_aJ29EnZxwzS1uLq0_m4XbIu2NC9uw0Oek6Ft4W-iaY-gf_yM6qeu8m8k3ExRavpAIVEhwV4wA/s1600/CertificateListed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="202px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG4pKDxdgqRsdX5NjvkTCJVjBRKEYyZL7jifNRcRWp3Ld1LxGxSA3XIhIexoP18SOcv_aJ29EnZxwzS1uLq0_m4XbIu2NC9uw0Oek6Ft4W-iaY-gf_yM6qeu8m8k3ExRavpAIVEhwV4wA/s400/CertificateListed.png" t8="true" width="400px" /></span></a></div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span lang="EN-US"><strong><u><span style="font-family: Verdana, sans-serif;">Step V : How to enable SSL on IIS7.0:-</span></u></strong></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">1. Go back to IIS Manager and, in the Connections panel, navigate to your website, e.g. Default Web Site in this case. Click <i>Bindings…</i> in the <i>Actions</i> panel on the right-hand side.</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpvOKN6q_xwdg1eWli2Ey4oDgbWoaMOUbDFgRW2HUkb-4PnefxaZkyuJWY-foRzJepskuuYC_p3y7xftGjqE-rgqc2t0yk7tY1uBxQ5f43HBjZSLtYE2DOp31lW10m15hvPnG67hpwWgQ/s1600/DefaultWebSite.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="207px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpvOKN6q_xwdg1eWli2Ey4oDgbWoaMOUbDFgRW2HUkb-4PnefxaZkyuJWY-foRzJepskuuYC_p3y7xftGjqE-rgqc2t0yk7tY1uBxQ5f43HBjZSLtYE2DOp31lW10m15hvPnG67hpwWgQ/s400/DefaultWebSite.png" t8="true" width="400px" /></span></a></div><span lang="EN-US"><span style="font-family: Verdana, sans-serif; font-size: small;"></span></span><br />
<div><span lang="EN-US"><span style="font-family: Verdana, sans-serif; font-size: small;"><br />
</span></span><br />
<span lang="EN-US"><span style="font-family: Verdana, sans-serif; font-size: small;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><span lang="EN-US">2. You will see the Site Bindings dialog as below.</span> </span></div><br />
<div class="separator" style="clear: both; text-align: center;"></div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcOU9FcUIlNf48biF87OtHyoheIOWI77h80MTNTAJ28XYS0lXDR-95FiEgFjGdaRZXtF8XnpZUoTURX9ax6oJ3saUxZ77smspcZQ_ekkBDEk8UAa0LUYWvGbqteItrd9XgY_adMJi-gCQ/s1600/SiteBinding.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="148px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcOU9FcUIlNf48biF87OtHyoheIOWI77h80MTNTAJ28XYS0lXDR-95FiEgFjGdaRZXtF8XnpZUoTURX9ax6oJ3saUxZ77smspcZQ_ekkBDEk8UAa0LUYWvGbqteItrd9XgY_adMJi-gCQ/s320/SiteBinding.png" t8="true" width="320px" /></span></a></div><div class="MsoListParagraph" style="margin: 0cm 0cm 0pt 36pt; mso-list: l0 level1 lfo1; mso-para-margin-left: 0gd; text-indent: -18pt;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;">3. Click the Add… button, select https as the type, choose your certificate from the SSL certificate drop-down box, and click OK.</span></div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFErMiSctzMh_BUlm4xqTZ8ZqTgVwekdRHiA3_nT0V5sneiizwzuxnzZ8X_jcyHHZ3kcUrzGC_XtOryf9LRZm0NMTfpVYIEcBLdaGRQn0Y-EZhyKI02LDqrc1E7HOXmhbmTn-Mw9TjpZw/s1600/AddSiteBinding.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><img border="0" height="174px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFErMiSctzMh_BUlm4xqTZ8ZqTgVwekdRHiA3_nT0V5sneiizwzuxnzZ8X_jcyHHZ3kcUrzGC_XtOryf9LRZm0NMTfpVYIEcBLdaGRQn0Y-EZhyKI02LDqrc1E7HOXmhbmTn-Mw9TjpZw/s320/AddSiteBinding.png" t8="true" width="320px" /></span></a></div><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span><br />
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">Now you can access your site with SSL enabled, e.g. <a href="https://localhost/"><span style="color: blue;">https://localhost/</span></a>.</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span class="Apple-style-span" style="font-family: Verdana, sans-serif;"><br />
</span></div><div class="MsoNormal" style="margin: 0cm 0cm 0pt;"><span lang="EN-US" style="font-family: Verdana, sans-serif;">I hope this is useful. Please provide your comments and suggestions to improve my posts.</span></div></div>Manmohanhttp://www.blogger.com/profile/01488032028009115263noreply@blogger.com6tag:blogger.com,1999:blog-1077267275464072755.post-59616908212431846652011-07-01T06:20:00.000-07:002012-07-02T18:11:04.225-07:00Creating server/client certificate pair using OpenSSL.<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US"><span style="font-family: Verdana, sans-serif;">A server/client certificate pair is used when an application accesses a web service that is configured to authenticate the client application with a client SSL certificate (mutual TLS): the server presents its certificate to the client, and the client presents its own certificate back to the server.</span></span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US"><span style="font-family: Verdana, sans-serif;">You can follow the steps below to create the server and client certificates using OpenSSL.</span></span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Before creating the server and client certificates, we need to set up a self-signed Certificate Authority (CA) that will sign them. The first two steps set up the CA. To create the directory structure needed for the CA, please <a href="http://manmoahn-openssl-net.blogspot.com/2011/06/complete-guide-to-set-up-ca-using.html">see here</a>. </span></span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<br /></div>
<ol style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Create the private key of the CA.</span></span></li>
</ol>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">openssl genrsa -des3 -out Keys/RootCA.key 2048</span></span></i></b></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<br /></div>
<ol start="2" style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Create the self-signed certificate of the CA.</span></span></li>
</ol>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">openssl req -config openssl.cnf -new -x509 -days 360 -key Keys/RootCA.key -out Certificates/RootCA.crt</span></span></i></b></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<br /></div>
<ol start="3" style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Create the private key for the server.</span></span></li>
</ol>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">openssl genrsa -des3 -out Keys/server.key 2048</span></span></i></b></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<br /></div>
<ol start="4" style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Create a CSR (Certificate Signing Request) for the server.</span></span></li>
</ol>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">openssl req -config openssl.cnf -new -key Keys/server.key -out CSR/server.csr</span></span></i></b></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<br /></div>
<ol start="5" style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Create the server certificate, signed by the CA.</span></span></li>
</ol>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<b><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">openssl ca -config openssl.cnf -days 360 -in CSR/server.csr -out </span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Certificates</span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">/server.crt -keyfile Keys/RootCA.key -cert </span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Certificates</span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">/RootCA.crt -policy policy_anything</span></span></i></b>
</div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<br /></div>
<ol start="6" style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Create the private key for the client.</span></span></li>
</ol>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">openssl genrsa -des3 -out Keys/client.key 2048</span></span></i></b></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<br /></div>
<ol start="7" style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Create a CSR for the client.</span></span></li>
</ol>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">openssl req -config openssl.cnf -new -key Keys/client.key -out CSR/client.csr</span></span></i></b></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<br /></div>
<ol start="8" style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Create the client certificate, signed by the CA.</span></span></li>
</ol>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">openssl ca -config openssl.cnf -days 360 -in CSR/client.csr -out </span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Certificates</span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">/client.crt -keyfile Keys/RootCA.key -cert </span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Certificates</span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">/RootCA.crt -policy policy_anything</span></span></i></b></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<br /></div>
<ol start="9" style="margin-top: 0cm;" type="1">
<li class="MsoNormal" style="margin: 0cm 0cm 0pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt;"><span style="font-family: Verdana, sans-serif;"><span lang="EN-US">Finally, export the client certificate together with its private key and the CA certificate to PKCS#12 format.</span></span></li>
</ol>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt 36pt;">
<b style="mso-bidi-font-weight: normal;"><i style="mso-bidi-font-style: normal;"><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">openssl pkcs12 -export -in </span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Certificates</span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">/client.crt -inkey Keys/client.key -certfile </span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Certificates</span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">/RootCA.crt -out </span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Certificates</span></span></i></b><b style="background-color: white;"><i><span lang="EN-US"><span style="font-family: Verdana, sans-serif;">/clientcert.p12</span></span></i></b></div>
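The nine steps above, run end to end as one script. This is an added example and not the post's own commands: it writes a minimal constructed openssl.cnf (the post's config file is not shown), uses constructed names and passwords, swaps the post's -des3 key encryption for AES-256, and goes a little beyond the post by adding serverAuth/clientAuth extended key usage and a subjectAltName, which mutual-TLS stacks generally require. It then verifies each certificate against the CA for its own role and checks that the server certificate is not accepted as a client identity.

```shell
#!/bin/sh
# Added example (not from the post): steps 1-9 run non-interactively in a scratch
# directory. All names and passwords below are constructed sample values.
set -e

KEYPASS="changeit"   # constructed sample password for the private keys
P12PASS="exportpw"   # constructed sample password for the .p12 export

# The post's openssl.cnf is not shown, so a minimal constructed one is written here.
write_config() {
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = .
new_certs_dir  = $dir/NewCerts
database       = $dir/index.txt
serial         = $dir/serial
default_md     = sha256
default_days   = 360
policy         = policy_anything
unique_subject = no
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
default_md         = sha256
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:localhost
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# build_pki DIR: run steps 1-9 inside DIR using the post's Keys/CSR/Certificates layout
build_pki() (
    cd "$1"
    mkdir -p Keys CSR Certificates NewCerts
    : > index.txt          # the 'openssl ca' database starts empty
    echo 01 > serial       # first serial number to issue
    write_config
    # 1-2: CA key (AES-256 instead of the post's -des3) and self-signed CA certificate
    openssl genrsa -aes256 -passout pass:"$KEYPASS" -out Keys/RootCA.key 2048
    openssl req -config openssl.cnf -new -x509 -days 360 -extensions v3_ca \
        -key Keys/RootCA.key -passin pass:"$KEYPASS" \
        -subj "/CN=Example Root CA" -out Certificates/RootCA.crt
    # 3-5: server key, CSR, and CA-signed certificate with serverAuth EKU and a SAN
    openssl genrsa -aes256 -passout pass:"$KEYPASS" -out Keys/server.key 2048
    openssl req -config openssl.cnf -new -key Keys/server.key -passin pass:"$KEYPASS" \
        -subj "/CN=localhost" -out CSR/server.csr
    openssl ca -config openssl.cnf -batch -notext -days 360 -extensions server_ext \
        -in CSR/server.csr -out Certificates/server.crt \
        -keyfile Keys/RootCA.key -passin pass:"$KEYPASS" \
        -cert Certificates/RootCA.crt -policy policy_anything
    # 6-8: client key, CSR, and CA-signed certificate with clientAuth EKU
    openssl genrsa -aes256 -passout pass:"$KEYPASS" -out Keys/client.key 2048
    openssl req -config openssl.cnf -new -key Keys/client.key -passin pass:"$KEYPASS" \
        -subj "/CN=example-client" -out CSR/client.csr
    openssl ca -config openssl.cnf -batch -notext -days 360 -extensions client_ext \
        -in CSR/client.csr -out Certificates/client.crt \
        -keyfile Keys/RootCA.key -passin pass:"$KEYPASS" \
        -cert Certificates/RootCA.crt -policy policy_anything
    # 9: PKCS#12 bundle of client key + certificate + CA certificate
    openssl pkcs12 -export -in Certificates/client.crt -inkey Keys/client.key \
        -passin pass:"$KEYPASS" -certfile Certificates/RootCA.crt \
        -passout pass:"$P12PASS" -out Certificates/clientcert.p12
)

# verify_pair DIR: 0 only if each leaf chains to the CA and is valid for its own TLS role
verify_pair() {
    c="$1/Certificates"
    openssl verify -purpose sslserver -CAfile "$c/RootCA.crt" "$c/server.crt" >/dev/null 2>&1 || return 1
    openssl verify -purpose sslclient -CAfile "$c/RootCA.crt" "$c/client.crt" >/dev/null 2>&1 || return 1
    # the EKU split means the server certificate is rejected when offered as a client identity
    if openssl verify -purpose sslclient -CAfile "$c/RootCA.crt" "$c/server.crt" >/dev/null 2>&1; then
        return 1
    fi
    # the bundle opens with its export password and contains the client certificate
    openssl pkcs12 -in "$c/clientcert.p12" -passin pass:"$P12PASS" -nokeys -clcerts 2>/dev/null \
        | grep -q "BEGIN CERTIFICATE" || return 1
}

WORKDIR="$(mktemp -d)"
build_pki "$WORKDIR"
verify_pair "$WORKDIR"
echo "server and client certificates built and verified under $WORKDIR"
```

Because `openssl ca` keeps its own database, the serial file advances by one per issued certificate and index.txt records each one; the `-policy policy_anything` section must exist in the config for the post's commands to work, which is why the constructed file includes it.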
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0cm 0cm 0pt;">
<span lang="EN-US"><span style="font-family: Verdana, sans-serif;">Please provide your comments and suggestions to improve the post.</span></span></div>
<br />
<span style="font-family: Verdana, sans-serif;">Thanks,</span><br />
<span style="font-family: Verdana, sans-serif;">Manmohan.</span></div>Manmohanhttp://www.blogger.com/profile/01488032028009115263noreply@blogger.com5tag:blogger.com,1999:blog-1077267275464072755.post-27957412650566820782011-06-02T07:42:00.000-07:002011-07-03T08:00:55.725-07:00Creating SSL Certificates using OpenSSL.NET.<div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: Verdana, sans-serif;">If you are using OpenSSL.NET to create SSL certificates programmatically and don't know where to start, this article might help you.</span><br />
<span style="font-family: Verdana, sans-serif;">First of all, what is OpenSSL? OpenSSL is a cryptographic toolkit used to secure communication over the web. It provides a rich set of command-line tools to create and manage SSL certificates.<br />
But if you want to do it programmatically from .NET, a small but useful wrapper for OpenSSL, known as OpenSSL.NET, is available.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Now, without wasting much of your time, I will show you how to create an SSL X509 certificate using OpenSSL.NET.<br />
First of all you must download OpenSSL.NET. Once you have downloaded it, you will see three DLL files in the package: ManagedOpenSsl.dll, ssleay32.dll and libeay32.dll.</span><br />
<span style="font-family: Verdana, sans-serif;">Before starting, make sure that you have added a reference to ManagedOpenSsl.dll in your Visual Studio project, and that ssleay32.dll and libeay32.dll are available in your current working directory or on your PATH.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Now that OpenSSL.NET is set up, here is the code to create the SSL certificate.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">###################################################</span><br />
<span style="font-family: Verdana, sans-serif;">// Create a configuration object from your openssl.cnf file.<br />
<em><strong>OpenSSL.X509.Configuration cfg = new OpenSSL.X509.Configuration("Path to your openssl configuration file, e.g. openssl.cnf");</strong></em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">// Create a root certificate authority with a self-signed certificate, valid for 365 days from now.<br />
// The subject is given as a string (OpenSSL.NET converts it to an X509Name), e.g. "CN=My Root CA".<br />
<em><strong>OpenSSL.X509.X509CertificateAuthority rootCA = OpenSSL.X509.X509CertificateAuthority.SelfSigned(cfg, new OpenSSL.X509.SimpleSerialNumber(), "Distinguished name for your CA", DateTime.Now, TimeSpan.FromDays(365));</strong></em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">// If you want the certificate of the root CA you just created, read its Certificate property.<br />
<em><strong>OpenSSL.X509.X509Certificate rootCertificate = rootCA.Certificate;</strong></em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">// Here you need a CSR (Certificate Signing Request), which you might already have from your web server, e.g. IIS 7.0. <a href="http://manmoahn-openssl-net.blogspot.com/2011/06/complete-guide-to-set-up-ca-using.html">How to generate a CSR on IIS 7.0</a><br />
<em><strong>string strCSR = System.IO.File.ReadAllText(@"Path to your CSR file");</strong></em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">// Write the CSR text into a memory BIO object as shown below.<br />
<em><strong>OpenSSL.Core.BIO reqBIO = OpenSSL.Core.BIO.MemoryBuffer();<br />
reqBIO.Write(strCSR);</strong></em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">// Now you can create the X509Request object from reqBIO; the BIO is no longer needed afterwards.<br />
<em><strong>OpenSSL.X509.X509Request request = new OpenSSL.X509.X509Request(reqBIO);<br />
reqBIO.Dispose();</strong></em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">// Once you have a request object, you can issue an SSL certificate signed by the self-signed root CA.<br />
<em><strong>OpenSSL.X509.X509Certificate certificate = rootCA.ProcessRequest(request, DateTime.Now, DateTime.Now + TimeSpan.FromDays(365));</strong></em></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">// Now save the certificate to your file system as PEM text. Write it with a text API:<br />
// BinaryWriter.Write(string) prefixes the text with its length, which is not valid PEM.<br />
<em><strong>using (OpenSSL.Core.BIO bio = OpenSSL.Core.BIO.MemoryBuffer())<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;certificate.Write(bio);<br />
&nbsp;&nbsp;&nbsp;&nbsp;string certString = bio.ReadString();<br />
&nbsp;&nbsp;&nbsp;&nbsp;System.IO.File.WriteAllText("Path to the file where you want to save the certificate", certString);<br />
}</strong></em></span><br />
<span style="font-family: Verdana, sans-serif;">##############################################</span><br />
<span style="font-family: Verdana, sans-serif;"><br />
Finally, make sure that you close (dispose) all your BIO objects and file streams.<br />
<br />
<span style="font-family: Verdana, sans-serif;">Now you have an X509 certificate and you can install it on your web server.</span><br />
<br />
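Before installing the file, it is worth checking that what was written is actually a PEM certificate. The script below is an added example and not part of the post: it generates a constructed throw-away certificate to stand in for the one the C# code writes, shows the check passing on a correct file and failing on one with a stray leading byte (the kind of damage a length-prefixed binary write leaves in front of the PEM header), and prints the fields worth looking at before install. The config file and names are constructed.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check a certificate file before
# installing it on the web server. The sample certificate is constructed here.
set -e

# pem_cert_ok FILE: 0 if FILE is a PEM certificate OpenSSL can load, 1 otherwise
pem_cert_ok() {
    # PEM must begin at byte 0: a length prefix (what BinaryWriter.Write(string)
    # emits) or a BOM in front of the header breaks the parser
    [ "$(head -c 27 "$1")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
}

# cert_summary FILE: subject, issuer and validity window, one per line
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

WORKDIR="$(mktemp -d)"
# minimal constructed config so 'openssl req' does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORKDIR/req.cnf"
# constructed stand-in for the file certificate.Write(bio) produces
openssl req -config "$WORKDIR/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-server" -keyout "$WORKDIR/key.pem" -out "$WORKDIR/good.pem" >/dev/null 2>&1
# the same bytes with one junk byte in front, as a length-prefixed write would leave them
{ printf '\005'; cat "$WORKDIR/good.pem"; } > "$WORKDIR/bad.pem"

pem_cert_ok "$WORKDIR/good.pem" && echo "good.pem: loadable PEM certificate"
pem_cert_ok "$WORKDIR/bad.pem"  || echo "bad.pem: rejected, not a PEM certificate"
cert_summary "$WORKDIR/good.pem"
```

Run the same two functions against the file your program wrote; if the subject or issuer is not what you expect, or the header check fails, fix the writer before touching the web server.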
<span style="font-family: Verdana, sans-serif;">Hope this is helpful. Please provide your valuable comments and suggestions to improve my posts.</span></span></div>Manmohanhttp://www.blogger.com/profile/01488032028009115263noreply@blogger.com8